@garfieldonly
Contributor

We should remove whitespace from header fieldname in http response
#6793

@garfieldonly garfieldonly force-pushed the #6793 branch 2 times, most recently from c475fd0 to 9ab6daf Compare May 15, 2020 08:57
@garfieldonly garfieldonly changed the title #6793 #6793 Remove whitespace from header field name in http response due to RFC7230:3.2.4 May 15, 2020
@oknet oknet changed the title #6793 Remove whitespace from header field name in http response due to RFC7230:3.2.4 Remove whitespace from header field name in http response due to RFC7230:3.2.4 (#6793) May 15, 2020
@oknet
Member

oknet commented May 15, 2020

[approve ci]

@oknet
Member

oknet commented May 15, 2020

Good catch

@oknet
Member

oknet commented May 15, 2020

@garfieldonly Please do clang-format and fix missing comma error.

@bryancall bryancall added the HTTP label May 15, 2020
@bryancall bryancall added this to the 10.0.0 milestone May 15, 2020
@bryancall
Contributor

bryancall commented May 15, 2020

For reference, this is in the issue, but nice to have here too:
https://tools.ietf.org/html/rfc7230#section-3.2.4

No whitespace is allowed between the header field-name and colon. In
the past, differences in the handling of such whitespace have led to
security vulnerabilities in request routing and response handling. A
server MUST reject any received request message that contains
whitespace between a header field-name and colon with a response code
of 400 (Bad Request). A proxy MUST remove any such whitespace from a
response message before forwarding the message downstream.
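
The two behaviours the quoted RFC text requires, as an added example (not code from this pull request or from Traffic Server). `check_field_line`, `MessageKind` and `Verdict` are hypothetical names, and the input is assumed to be a single field line with its CRLF already stripped.

```cpp
#include <string>

// RFC 7230 section 3.2.4 treats requests and responses differently.
enum class MessageKind { Request, Response };
enum class Verdict { Accept, Rewritten, Reject400, Malformed };

struct FieldResult {
  Verdict verdict;
  std::string line; // field line to forward; empty when nothing is forwarded
};

static bool is_ws(char c) { return c == ' ' || c == '\t'; }

// Hypothetical helper, not Traffic Server's API: inspect one header field
// line (trailing CRLF already stripped) and apply the section 3.2.4 rule.
FieldResult check_field_line(const std::string &line, MessageKind kind)
{
  const std::string::size_type colon = line.find(':');
  if (colon == std::string::npos || colon == 0) {
    return {Verdict::Malformed, ""}; // no colon, or empty field-name
  }
  // Walk back from the colon over any SP / HTAB that precedes it.
  std::string::size_type name_end = colon;
  while (name_end > 0 && is_ws(line[name_end - 1])) {
    --name_end;
  }
  // Whitespace elsewhere in the name is not the case 3.2.4 covers; treat it
  // as malformed here (full token validation is out of scope).
  for (std::string::size_type i = 0; i < name_end; ++i) {
    if (is_ws(line[i])) {
      return {Verdict::Malformed, ""};
    }
  }
  if (name_end == 0) {
    return {Verdict::Malformed, ""}; // field-name was only whitespace
  }
  if (name_end == colon) {
    return {Verdict::Accept, line}; // already conforming
  }
  if (kind == MessageKind::Request) {
    return {Verdict::Reject400, ""}; // server MUST answer 400 (Bad Request)
  }
  // Response passing through a proxy: drop the whitespace, keep the rest.
  return {Verdict::Rewritten, line.substr(0, name_end) + line.substr(colon)};
}
```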

@oknet
Member

oknet commented May 18, 2020

[approve ci]

Member

@oknet oknet left a comment

looks good

@garfieldonly
Contributor Author

@bryancall Please review the changes, thanks!

@garfieldonly garfieldonly removed their assignment May 20, 2020
@garfieldonly garfieldonly requested review from bryancall and oknet June 1, 2020 02:16
@scw00
Member

scw00 commented Jun 5, 2020

@zwoop any word on this pr?

@oknet oknet merged commit b13e348 into apache:master Jun 8, 2020
Contributor

@bryancall bryancall left a comment

👍

@zwoop
Contributor

zwoop commented Jun 23, 2020

Cherry-picked to v9.0.x branch.

@zwoop zwoop removed this from the 10.0.0 milestone Jun 23, 2020
@zwoop zwoop added this to the 9.0.0 milestone Jun 23, 2020
Development

Successfully merging this pull request may close these issues.

According to RFC7230:3.2.4, whitespace in response header fieldname should be removed, not just return parse error

5 participants